One Day Sec

Why is the wlbsctrl.dll privilege escalation considered an old vulnerability, and what condition must be met for standard users to exploit it?

The vulnerability was publicly disclosed as early as October 9, 2012 (HTB23108). It relies on the fact that the IKEEXT service loads wlbsctrl.dll without specifying an absolute path under default Windows configurations. For a standard user to exploit it, they must find a directory in the PATH environment variable that is writable by their user account. With SafeDllSearchMode enabled, the search order includes the system directory, Windows directory, and current directory—so a writable directory early in the PATH allows placing a malicious wlbsctrl.dll there. The user then triggers the service using `rasdial` with a crafted `rasphone.pbk` file, as detailed in the Expansion on the Exploitation of "Lateral Movement — SCM and DLL Hijacking Primer".